Description

METHOD OF SPEEDING UP PACKET FILTERING

Background of Invention 
[0001] 1. Field of the Invention

[0002] The present invention relates to a method of speeding up 
packet filtering, and more particularly, to a method of 
speeding up packet filtering with a search filter used in a 
network security apparatus. 

[0003] 2. Description of the Prior Art 

[0004] The fast development of networking technology facilitates rapid transmission of large amounts of data among different places in the world, and how to improve network security has become an important issue. In an ordinary computer networking system, several networking apparatuses connected to a backbone network, such as a virtual private network (VPN), a gateway, and a router, mostly have firewalls disposed therein or outside thereof. Such a firewall provides a mechanism of packet filtering that implements protection in the IP layer. The packet filtering principle of the mechanism is to check each packet passing through the firewall against firewall rules predefined by users. However, each firewall rule implies a cost in searching, which includes time consumption, system loading, and labor. Excess firewall rules, or excess details defined within the rules, can result in higher accuracy in searching but also in higher searching costs. If too much time is spent processing packets, the performance of the whole network will decrease or network congestion will occur, which is not desirable. On the other hand, considering only the searching cost while neglecting the protection scope of a firewall would degrade the performance of the firewall. Therefore, one thing to consider when designing a firewall is to filter packets accurately at the lowest possible cost.

[0005] A conventional method of packet filtering is to determine whether each packet falls within the scope defined by the firewall rules. A commonly used method, called "linear search", checks each received packet against every firewall rule in turn. In addition, some improved methods apply known searching algorithms to filtering packets that are harmful or suspect. However, most packets that the firewall receives are not included in the scope defined by the firewall rules and are thus harmless. In other words, most packets can pass the filtering of a firewall. This means that most searching algorithms spend too much searching cost, i.e. time, on filtering packets that need not be filtered.
[0006] To overcome the disadvantages of the prior art, the present invention applies a low-cost search method before the full rule search, so as to find the majority of well-behaved packets and let them pass the firewall, leaving only a small number of potentially problematic packets to be checked by the conventional means. This lowers the searching cost without modifying any firewall rule.

[0007] The present invention utilizes a search filter to solve the problems described above. A "search filter" is the method of searching words or documents proposed by Severance and Lohman in 1976. The principle of the method is: first select a hash function, such as MD5; take a value to be searched, such as "m", as the "key" of the hash function, compute f(m) to perform the hash operation and obtain a proper data structure arrangement; and use the data structure to select the values to be checked. When a key is selected by the filter, it is not certain that the key can actually be found in the search set, according to the property of the search filter, because the hash space that the search filter uses is limited. On the other hand, when a selected key does not belong to the search set, the search filter always determines that the key does not belong to the search set.
Summary of Invention 

[0008] According to claim 1, the present invention discloses a method of speeding up packet filtering used in a network security apparatus, comprising: generating a first hash space according to at least one rule used to filter the packets received by the network security apparatus, the first hash space presenting a mask characteristic value set; generating a second hash space according to at least one of the packets received by the network security apparatus, the second hash space having the same size as the first hash space and presenting a packet characteristic value set; performing a specific Boolean operation on the first hash space and the second hash space; and determining, according to the result of said Boolean operation, whether the packet characteristic value set is outside the mask characteristic value set, whereupon it is decided whether the packet is allowed to pass through the network security apparatus.
[0009] These and other objectives of the present invention will no 
doubt become obvious to those of ordinary skill in the art 
after reading the following detailed description of the pre- 
ferred embodiment that is illustrated in the various fig- 
ures and drawings. 
Brief Description of Drawings 

[0010] Fig. 1 illustrates a network and firewall according to a preferred embodiment of the present invention.

[0011] Fig. 2 illustrates a flowchart of speeding up packet filtering in the present invention.

[0012] Fig. 3 illustrates a flowchart of generating a packet characteristic value set.

[0013] Fig. 4 illustrates a flowchart of a checking operation. 

Detailed Description 

[0014] Please refer to Fig. 1, which illustrates a network and firewall according to a preferred embodiment of the present invention. The invention is applied to a network security device, such as the firewall 20, and performs packet filtering with a plurality of pre-installed firewall rules 22 in the firewall 20. The firewall 20 can be connected between the Internet 10 (or another wide-area network) and a local area network (LAN) 30, as shown in Fig. 1, to filter all packets from the Internet 10. The packets which are determined to be acceptable after filtering can enter the LAN 30.

[0015] According to the principles of a search filter described above, the method of speeding up packet filtering in the present invention includes:

[0016] 1. A method of generating a mask characteristic value set:

[0017] (1) Predetermined conditions:

[0018] (a) Suppose the firewall 20 in Fig. 1 has N firewall rules {r_i | 1 ≤ i ≤ N}, wherein each rule consists of five items: {source network r_i.net_s, destination network r_i.net_d, source port r_i.port_s, destination port r_i.port_d, protocol r_i.p}. Each network in the above rules includes the IP addresses that users want to filter out.

[0019] (b) Predetermine K independent hash functions h_i {1 ≤ i ≤ K} for generating a hash space H (for example, two independent hash functions h1 and h2 do not ensure that h1(m) ≠ h2(m') whenever m ≠ m').

[0020] (c) Notice that the method of the present invention is limited by the size of the predetermined hash space and the characteristics of the selected hash functions. In addition, the functions of the search filter mentioned above can be implemented in hardware or software.
[0021] (2) Method flow: 

[0022] As the procedure S400 in Fig. 2 illustrates, first define the volume of each hash space as the volume of the output address space of each hash function h_i, i.e. C*K*L, wherein C is a self-defined constant and L is the number of bits in the IP addresses (taking IPv4 for example, L=32).
[0023] As the procedure S405 shows, the method extracts a source network r_i.net_s from each firewall rule. In the procedure S410, the method converts the source network r_i.net_s into binary code (including bit values and addresses). In the procedure S415, the method searches for a set of M relative addresses b_m (0 ≤ b_m ≤ L-1, 0 ≤ m ≤ M-1) which have bit value "1" in the code of the source network r_i.net_s. In the procedure S420, the method sets each address having a bit value "1", the source port r_i.port_s and the protocol r_i.p to be the keys of the hash function, and substitutes the keys into the K specific hash functions h_i (such as h_i(b_m, r_i.port_s, r_i.p)) for hash calculation in order to get K*M values k_j between 0 and (C*K*L)-1. These k_j are the relative addresses pointing into the hash space H_s of the source network. As described in the procedure S425, the set of the relative addresses pointing into the hash space H_s expresses the characteristic values of the source network r_i.net_s in the hash space H_s. The keys of the hash function mentioned above are chosen by the user, but they should include at least one of: the addresses having a bit value "1", the source port r_i.port_s, and the protocol r_i.p. For example, the key of the hash function may be just the addresses having bit value "1" in the network.
[0024] Like the procedure for the source network r_i.net_s described above, the procedure for the destination network r_i.net_d of the same firewall rule r_i repeats the procedures S400 to S250: first converting the destination network r_i.net_d into binary code (including bit values and addresses), then setting the W addresses b_w (0 ≤ b_w ≤ L-1, 0 ≤ w ≤ W-1) having bit value "1", the destination port r_i.port_d and the protocol r_i.p as the keys of the hash function, and substituting the keys into the K specific hash functions h_i (such as h_i(b_w, r_i.port_d, r_i.p)) for hash calculation in order to get K*M values k_j between 0 and (C*K*L)-1. These k_j are the relative addresses pointing into a hash space H_d of the destination network r_i.net_d. The set of the relative addresses pointing into the hash space H_d expresses the characteristic value of the destination network r_i.net_d in the hash space H_d. Notice that each hash space uses the same C, K and L, so the size of the hash space H_d mentioned above equals the size of the hash space H_s, and also equals the sizes of the other hash spaces.
[0025] In the procedures S435 and S440, the method repeats the same calculations for the networks of all N firewall rules (including source network and destination network) and obtains a plurality of hash spaces H_d and H_s. In the procedure S430, the method collects the sets of the relative addresses of all masks pointing into the hash space H in the N firewall rules. For example, the method totals the bit values at the same address of all hash spaces H_d and H_s of the N firewall rules, so that the characteristic value sum of the masks in the N firewall rules is presented in the same hash space H (H = H_d + H_s).

[0026] In the procedure S445, the method sets the bit values which are other than "0" in the hash space H of the characteristic value sum to "1", and otherwise keeps the bit values "0" as "0". Finally, in the procedure S450, the method obtains the mask characteristic value set of the N firewall rules in the same hash space H.

[0027] 2. A method of generating a packet characteristic value 
set: 



[0028] (1) Predetermined conditions:

[0029] Suppose that each packet p to be checked includes {source IP p.ip_s, destination IP p.ip_d, source port p.port_s, destination port p.port_d, protocol p.p}, and that the method of processing packets is similar to the method of processing networks mentioned before. The present invention defines the volume of another hash space H' = the volume of the previous hash space H = the volume C*K*L, resets each bit to "0", and uses the same K hash functions h_i {1 ≤ i ≤ K}.

[0030] (2) Method flow:

[0031] Firstly, in the procedure S550, the method receives a packet p to be checked. In the procedure S505, the method extracts the source IP p.ip_s from the packet. In the procedure S510, the method converts the source IP p.ip_s of the packet into binary code. In the procedure S505, the method searches for a set of M' relative addresses b_m (0 ≤ b_m ≤ L-1, 0 ≤ m ≤ M'-1) which have bit value "1" in the code of the source IP p.ip_s. In the procedure S520, the method sets each address having a bit value "1", the source port p.port_s and the protocol p.p as the keys of the hash function, and substitutes the keys into the K hash functions h_i (such as h_i(b_m, p.port_s, p.p)) for hash calculation in order to obtain K*M' values k_j between 0 and (C*K*L)-1. These k_j are the relative addresses pointing into a hash space H'_s of the source IP p.ip_s. As described in the procedure S525, the set of the relative addresses pointing into the hash space H'_s presents the characteristics of the source IP p.ip_s in the hash space H'_s.
[0032] According to the same principles, setting the destination IP p.ip_d, the destination port p.port_d and the protocol p.p as the keys of the hash function and performing the calculations of the K hash functions converts the destination IP p.ip_d of the packet into a set of relative addresses pointing into a hash space H'_d. Thus, the characteristic values of the destination IP p.ip_d of the packet are presented in the hash space H'_d.

[0033] In the procedure S535, the method repeats the same calculations for the other IP addresses in the packet. In the procedure S530, the method collects the sets of the relative addresses of all IP addresses pointing into the hash space H' of the packet. For example, the method totals the bit values belonging to the same address of all hash spaces H'_d and H'_s and shows the packet characteristic value sum in a hash space H' (H' = H'_d + H'_s). In the procedure S540, the method sets the bit values which are other than "0" in the hash space H' to "1", for 0 ≤ j ≤ (K*M')-1. Finally, in the procedure S545, the method obtains the packet characteristic value set in the hash space H'.

[0034] Then, in the procedure S550, the method performs a Boolean operation check. For the same hash space, the method checks the packet characteristic value set against the mask characteristic value set described above to determine whether the packet characteristic value set is covered by the mask characteristic value set.

[0035] 3. Method of operation checking:

[0036] First, in the procedures S600 and S605, the method obtains a hash space H having the mask characteristic value set and a hash space H' having the packet characteristic value set. In the procedures S610 and S615, the method performs the following Boolean operation:

[0037] (H OR H') XOR H

[0038] In the procedure S620, the method examines the result of the above Boolean operation. If all the bits are "0", the method performs the procedure S640: the IP addresses of the packet p could be included in the mask characteristic value set of the N firewall rules. Then, as shown in the procedure S645, the method confirms the firewall rule or filters the packet in coordination with a further searching mechanism (with higher cost). Otherwise, if the result of the procedure S620 has at least one bit other than "0", it means, as shown in the procedure S625, that the IP addresses of the packet p cannot be included in the mask characteristic value set of the N firewall rules. Then the method performs the procedure S630, allowing the packet to pass the firewall.
[0039] Notice that if any firewall rule is added or removed, the mask characteristic value H_c of that rule in the hash space should be found, and then the hash space having the mask characteristic value sum is H = H - H_c or H = H + H_c, from which the method calculates the new mask characteristic value set. If the firewall rules need modifying, repeat the method described above, removing the old rules and adding the new rules to obtain a new mask characteristic value set.
[0040] 4. Examples 

[0041] Suppose that a firewall has two firewall rules (N=2), as follows:

Sequence  Source Network  Source Port  Destination Network  Destination Port  Protocol  Action
1         12.0.0.0/24     0            202.1.237.21/32      80                1         Accept
2         12.0.0.0/24     0            172.17.23.152/29     23                1         Accept



[0042] (wherein "0" in the communication port represents any 
port) 

[0043] Additionally, suppose the constant C=2, the size of each IP address L=32, and two independent hash functions {h_i | 1 ≤ i ≤ 2} (K=2), so the size of each hash space H = the size of each output addressing space = C*K*L = 2*2*32 = 128 bits. The method resets each bit to "0" and the hash space H becomes:



[0044]

Address    0    1    2   ...  127
Bit        0    0    0   ...    0      (all 128 bits reset to "0")


[0045] The method extracts the source network r_1.net_s (12.0.0.0/24) from the first firewall rule and converts the source network into binary code, as follows:



Address  31 30 29 28 27 26 25 24 | 23 22 21 20 19 18 17 16 | 15 14 13 12 11 10  9  8 |  7  6  5  4  3  2  1  0
Bit       0  0  0  0  1  1  0  0 |  0  0  0  0  0  0  0  0 |  0  0  0  0  0  0  0  0 |  1  1  1  1  1  1  1  1



[0046] The method searches for the set of M relative addresses having bit value "1" in the above binary code. Therefore, we know M=10, and the set of relative addresses = {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9} = {0,1,2,3,4,5,6,7,26,27}.
[0047] The method sets the relative addresses mentioned above whose binary bit values are "1", the source port r_1.port_s (0) and the protocol r_1.p (1) as the keys of the hash function, and substitutes the keys into the two hash functions h_i to obtain the following 20 (M x K) addresses pointing into the hash space H_1s:

[0048] h1(0,0,1)=41, h1(1,0,1)=111, h1(2,0,1)=41, h1(3,0,1)=39,
[0049] h1(4,0,1)=100, h1(5,0,1)=42, h1(6,0,1)=1, h1(7,0,1)=21,
[0050] h1(26,0,1)=92, h1(27,0,1)=4
[0051] h2(0,0,1)=21, h2(1,0,1)=41, h2(2,0,1)=40, h2(3,0,1)=1,
[0052] h2(4,0,1)=98, h2(5,0,1)=120, h2(6,0,1)=12, h2(7,0,1)=88,
[0053] h2(26,0,1)=76, h2(27,0,1)=110

[0054] According to the addresses pointing into the hash space H_1s, the following shows the source mask characteristic value which presents the first firewall rule in the hash space H_1s:

[0055]

Address    0   1   2   3   4   5   6   7 |   8   9  10  11  12  13  14  15 |  16  17  18  19  20  21  22  23 |  24  25  26  27  28  29  30  31
Bit        0   1   0   0   1   0   0   0 |   0   0   0   0   1   0   0   0 |   0   0   0   0   0   1   0   0 |   0   0   0   0   0   0   0   0
Address   32  33  34  35  36  37  38  39 |  40  41  42  43  44  45  46  47 |  48  49  50  51  52  53  54  55 |  56  57  58  59  60  61  62  63
Bit        0   0   0   0   0   0   0   1 |   1   1   1   0   0   0   0   0 |   0   0   0   0   0   0   0   0 |   0   0   0   0   0   0   0   0
Address   64  65  66  67  68  69  70  71 |  72  73  74  75  76  77  78  79 |  80  81  82  83  84  85  86  87 |  88  89  90  91  92  93  94  95
Bit        0   0   0   0   0   0   0   0 |   0   0   0   0   1   0   0   0 |   0   0   0   0   0   0   0   0 |   1   0   0   0   1   0   0   0
Address   96  97  98  99 100 101 102 103 | 104 105 106 107 108 109 110 111 | 112 113 114 115 116 117 118 119 | 120 121 122 123 124 125 126 127
Bit        0   0   1   0   1   0   0   0 |   0   0   0   0   0   0   1   1 |   0   0   0   0   0   0   0   0 |   1   0   0   0   0   0   0   0



[0056] The method extracts the destination network r_1.net_d (202.1.237.21/32) from the first firewall rule and converts the destination network r_1.net_d to binary code:



Address  31 30 29 28 27 26 25 24 | 23 22 21 20 19 18 17 16 | 15 14 13 12 11 10  9  8 |  7  6  5  4  3  2  1  0
Bit       1  1  0  0  1  0  1  0 |  0  0  0  0  0  0  0  1 |  1  1  1  0  1  1  0  1 |  0  0  0  1  0  1  0  1



[0057] The method searches for the set of W relative addresses having bit value "1" in the binary code of the destination network r_1.net_d described above. Therefore, W=14, and the set of W relative addresses = {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13} = {0,2,4,8,10,11,13,14,15,16,25,27,30,31}.
[0058] The method sets the relative addresses described above in which each bit value of the binary code is "1", {0,2,4,8,10,11,13,14,15,16,25,27,30,31}, the destination port r_1.port_d (80) and the protocol r_1.p (1) as the keys of the hash function, and substitutes the keys into the two hash functions h_i to obtain the following 28 (K x W) addresses that point into the hash space H_1d:

[0059] h1(0,80,1)=50, h1(2,80,1)=76, h1(4,80,1)=43, h1(8,80,1)=66,
[0060] h1(10,80,1)=9, h1(11,80,1)=12, h1(13,80,1)=21, h1(14,80,1)=36,
[0061] h1(15,80,1)=61, h1(16,80,1)=58, h1(25,80,1)=81, h1(27,80,1)=108,
[0062] h1(30,80,1)=52, h1(31,80,1)=12
[0063] h2(0,80,1)=20, h2(2,80,1)=67, h2(4,80,1)=7, h2(8,80,1)=96,
[0064] h2(10,80,1)=12, h2(11,80,1)=84, h2(13,80,1)=61, h2(14,80,1)=29,
[0065] h2(15,80,1)=17, h2(16,80,1)=77, h2(25,80,1)=20, h2(27,80,1)=99,
[0066] h2(30,80,1)=121, h2(31,80,1)=41

[0067] According to the 28 addresses that point into the hash space H_1d, the destination mask characteristic value of the first firewall rule is presented in the hash space H_1d, and the method collects all sets of addresses of all networks of the first firewall rule pointing into the hash space H_1. In other words, the method totals the bits belonging to the same address in the two hash spaces H_1d and H_1s in order to present the mask characteristic value sum of the first firewall rule in the hash space H_1 (H_1 = H_1s + H_1d):



[0068]

Address    0   1   2   3   4   5   6   7 |   8   9  10  11  12  13  14  15 |  16  17  18  19  20  21  22  23 |  24  25  26  27  28  29  30  31
Bit        0   1   0   0   1   0   0   1 |   0   1   0   0   4   0   0   0 |   0   1   0   0   2   2   0   0 |   0   0   0   0   0   1   0   0
Address   32  33  34  35  36  37  38  39 |  40  41  42  43  44  45  46  47 |  48  49  50  51  52  53  54  55 |  56  57  58  59  60  61  62  63
Bit        0   0   0   0   1   0   0   1 |   1   2   1   1   0   0   0   0 |   0   0   1   0   1   0   0   0 |   0   0   1   0   0   2   0   0
Address   64  65  66  67  68  69  70  71 |  72  73  74  75  76  77  78  79 |  80  81  82  83  84  85  86  87 |  88  89  90  91  92  93  94  95
Bit        0   0   1   1   0   0   0   0 |   0   0   0   0   2   1   0   0 |   0   1   0   0   1   0   0   0 |   1   0   0   0   1   0   0   0
Address   96  97  98  99 100 101 102 103 | 104 105 106 107 108 109 110 111 | 112 113 114 115 116 117 118 119 | 120 121 122 123 124 125 126 127
Bit        1   0   1   1   1   0   0   0 |   0   0   0   0   1   0   1   1 |   0   0   0   0   0   0   0   0 |   1   1   0   0   0   0   0   0



[0069] The method extracts the source network r_2.net_s (12.0.0.0/24) from the second firewall rule. However, the source network r_2.net_s is the same as the source network r_1.net_s, so the hash function operation is omitted. The hash space H_2s is added directly into the above hash space H_1 to total the bits. Thus, the hash space H = H_2s + H_1 presents the mask characteristic value sum, as follows:

[0070] Next, the method extracts the destination network r_2.net_d (172.17.23.152/29) from the second firewall rule and converts the destination network r_2.net_d into binary code, as follows:

[0071] The method searches for the set of W relative addresses having bit value "1" in the binary code of the destination network r_2.net_d described above. Therefore, W=16, and the set of W relative addresses = {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15} = {0,1,2,3,4,7,8,9,10,12,16,20,26,27,29,31}.
[0072] The method sets the relative addresses described above in which each bit value of the binary code is "1", {0,2,4,8,10,11,13,14,15,16,25,27,30,31}, the destination port r_2.port_d (80) and the protocol r_2.p (1) as the keys of the hash function, and substitutes the keys into the two hash functions h_i to obtain the following 32 (K x W) addresses that point into the hash space H_2d:

[0073] h1(0,23,1)=3, h1(1,23,1)=69, h1(2,23,1)=30, h1(3,23,1)=0,
[0074] h1(4,23,1)=56, h1(7,23,1)=59, h1(8,23,1)=83, h1(9,23,1)=46,
[0075] h1(10,23,1)=31, h1(12,23,1)=47, h1(16,23,1)=61, h1(20,23,1)=79,
[0076] h1(26,23,1)=13, h1(27,23,1)=17, h1(29,23,1)=28, h1(31,23,1)=82
[0077] h2(0,23,1)=13, h2(1,23,1)=9, h2(2,23,1)=82, h2(3,23,1)=10,
[0078] h2(4,23,1)=109, h2(7,23,1)=34, h2(8,23,1)=79, h2(9,23,1)=22,
[0079] h2(10,23,1)=59, h2(12,23,1)=111, h2(16,23,1)=12, h2(20,23,1)=7,
[0080] h2(26,23,1)=109, h2(27,23,1)=107, h2(29,23,1)=3, h2(31,23,1)=55

[0081] According to the 32 addresses that point into the hash space H_2d, the method presents the destination mask characteristic value of the second firewall rule in the hash space H_2d, and adds the hash space H_2d into the previous hash space H. Thus, the method totals the bit values belonging to the same address and presents the mask characteristic value sum of all the firewall rules in the hash space H (H = H + H_2d).

[0083] The method sets the bit values which are other than "0" in the above mask characteristic value sum to "1" so as to present the mask characteristic value set of all firewall rules in the hash space H.
[0085] As long as the firewall receives a packet p that tries to pass the firewall with (p.ip_s, p.port_s, p.ip_d, p.port_d, p.p) = (12.0.0.4, 1067, 172.17.23.153, 80, 1), the method of processing the packet is similar to the method of processing the firewall rules: it utilizes the same two (K=2) hash functions h_i {1 ≤ i ≤ 2} to define a hash space H' = C*K*L = 128 bits of the same size, and each bit value is reset to "0" as follows:

[0086] Hash space H'

[0087] The method extracts the source IP p.ip_s (12.0.0.4) from the packet and converts the source IP into binary code, as follows:
[0088] The method searches for the set of M' relative addresses having bit value "1" in the binary code of the source IP p.ip_s described above. Therefore, M'=3, and the set of M' relative addresses {b0, b1, b2} = {2,26,27}.

[0089] Subsequently, the method sets the relative addresses described above in which each bit value of the binary code is "1", {2,26,27}, the source port p.port_s (1067) and the protocol p.p (1) as the keys of the hash function, and substitutes the keys into the two hash functions h_i to obtain the following 6 (K x M') addresses that point into the hash space H'_s:

[0090] h1(2,1067,1)=61, h1(26,1067,1)=10, h1(27,1067,1)=111
[0091] h2(2,1067,1)=39, h2(26,1067,1)=46, h2(27,1067,1)=12

[0092] According to the 6 addresses that point into the hash space H'_s, the following presents the source packet characteristic value:
[0094] The method extracts the destination IP p.ip_d (172.17.23.153) from the same packet and converts the destination IP p.ip_d into binary code, as follows:

[0095] The method searches for the set of M' relative addresses having bit value "1" in the binary code of the destination IP p.ip_d described above. Therefore, W=14, and the set of relative addresses = {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13} = {0,3,4,7,8,9,10,12,16,20,26,27,29,31}.
[0096] The method sets the relative addresses described above in which each bit value of the binary code is "1", {0,3,4,7,8,9,10,12,16,20,26,27,29,31}, the destination port p.port_d (80) and the protocol p.p (1) as the keys of the hash function, and substitutes the keys into the two hash functions h_i to obtain the following 28 (K x W) addresses that point into the hash space H'_d:

[0097] h1(0,80,1)=60, h1(3,80,1)=1, h1(4,80,1)=107, h1(7,80,1)=8, h1(8,80,1)=39,
[0098] h1(9,80,1)=61, h1(10,80,1)=40, h1(12,80,1)=55, h1(16,80,1)=83,
[0099] h1(20,80,1)=97, h1(26,80,1)=24, h1(27,80,1)=66, h1(29,80,1)=70,
[0100] h1(31,80,1)=24
[0101] h2(0,80,1)=25, h2(3,80,1)=33, h2(4,80,1)=1, h2(7,80,1)=66, h2(8,80,1)=51,
[0102] h2(9,80,1)=43, h2(10,80,1)=37, h2(12,80,1)=13, h2(16,80,1)=90,
[0103] h2(20,80,1)=69, h2(26,80,1)=22, h2(27,80,1)=91, h2(29,80,1)=111,
[0104] h2(31,80,1)=121

[0105] According to the 28 addresses that point into the hash space H'_d, the method presents the destination packet characteristic value in the hash space H'_d. Then the method collects all sets of the addresses that point into the hash space H' and adds the hash space H'_d into the previous hash space H'_s. For example, the method totals the bit values belonging to the same address to generate a hash space H' = H'_s + H'_d. The following presents the packet characteristic value sum.

[0107] The method sets the bit values which are other than "0" in the above packet characteristic value sum to "1" so as to present the packet characteristic value set in the hash space H'.

[0109] The method performs the operation check (H OR H') XOR H. We then find that at least one bit value is other than "0", so the packet characteristic value set is not included in the mask characteristic value set. That means the packet p does not satisfy any firewall rule previously described, and so it is allowed to pass the firewall.

[0110] The method of speeding up packet filtering in the present invention utilizes a search filter to determine, in a fixed period of time, whether a packet is covered by the range of the firewall rules, and lets the large number of packets outside the range, considered acceptable packets, rapidly pass the firewall so as to prevent excessive traffic in the network. On the other hand, the small number of packets inside the range, which possibly have problems, can be further filtered with other packet filters of higher searching cost. Therefore, the present invention can reduce the searching time and improve searching efficiency, which cannot be achieved by the prior art.

[0111] Those skilled in the art will readily observe that numerous modifications and alterations of the device may be made while retaining the teachings of the invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.



